2

How To Enable MFA for External Users Office 365

Whether you’re focusing on internal or external users, having 2-factor enabled so people can access resources in your org is always a recommended practice to enhance your security footprint. Today, we’re going to focus our efforts using conditional access to enable MFA for external users Office 365.

Requirements

In order to move forward with enabling multi-factor authentication for guest users there are a couple of requirements that are needed. Let’s list them out here so we have a clear understanding of what they are.

  • Azure AD Premium license (P1 or P2)
  • A valid external email account that you can add as B2B guest user

In my lab tenant, I have EMS-E5 licenses which is P2 so I’m good to use conditional access policies to get this all setup.

End User Experience and What to Expect

To give you some context on how I’m testing this in my lab tenant, I’ve granted the external user who is named “Guest User” access to a SharePoint site that I’ve created for this purpose.
 

The SPO site, Project Gladiator, has an “ExternalUser” folder that I’ve setup to mimic a real-world scenario. This folder is where people from other orgs will update their notes to use for collaboration.

Project-Gladiator
 

At this point, I’ve sent an invitation to the guest user and they have accepted the invite. Next, I copied the link to that folder and sent over to the external user so they can access the resources that are setup at their convenience.
 

For now, we’ll take a moment to check in on the user experience before and after the policy is enabled.

What to Expect if the User has MFA Enabled

Let’s take a moment to clear the air first. If a user has MFA enabled on their own home tenant, this doesn’t mean that they’ll be prompted to confirm their identity with an MFA prompt on your resource tenant. There are now ways to trust the MFA claims from the home tenant using Cross Tenant Access Policies (xtap) but that’s a little outside the scope of the this article.
 

It will actually take some effort to enable MFA on a resource tenant if you’re not enforcing it so chances are they won’t do unless you make them.
 
MFA for External Users Office 365

However, if a user has enrolled in MFA in the resource tenant, then they’ll continue to be prompted for MFA as they previously have.

What to Expect if MFA is not enabled for the User

Since there aren’t any policies that are enforcing MFA for external (guest, B2B etc..) users, this user is able to get in with just a username and password. If someone potentially compromised the remote credentials, they now have access to your tenant. This is obviously a no-no and is the reason why enabling MFA is so vital to security.
 

We haven’t touched on how to enable the policy yet, however, what can we expect when we enable MFA for external users Office 365 / Azure AD?
 

Once you enable the policy, the user would be shown the typical prompt for when a user tries to enroll in MFA in the home tenant.

Guest User MFA Enrollment

How To Enable MFA for External Users Office 365

Now that we know what it looks like, next up is to use a conditional access policy template in Azure AD to set it up. As mentioned, this would require you have a premium license so hopefully you have that setup in you tenant so you can follow along. Let’s review the steps needed to enable this policy.

In Azure AD:

MFA for External Users Office 365 - Create Conditional Access Policy External Users
 

  • Under Customize your build: select Identities and click Next
  • select Require multi-factor authentication for guest access and click Next

Require MFA for Guest Access
 

  • Review the policy and confirm it is in Report-only
  • Click Create Policy

MFA for External Users Office 365
 

Important: Leave the policy in Report-only for now. We’ll still need to make adjustments before enabling it.

 

Now let’s go back into the policy and under Assignments -> Exclude: Enter the breakglass account and an MFA exclusions group in your own tenant. Hopefully this won’t be needed, but if someone decides to modify the policy and applies it to people in your org, you’ll at least have some specific exclusions in place.
 

Finally, enable the policy and click save. External users will now need to enable MFA to access resources in your home tenant.
Exclude MFA users

Conclusion

Hopefully this article showed you how to enable MFA for external users Office 365 and was easy to follow along. If you haven’t done so already, be sure to enable MFA for your regular users to ensure you’re covered across the board.

5/5 - (8 votes)

Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.

2 Comments

  1. I have MFA already enabled and we have selected all users. Will this by default apply to guest and externals users? I want to make sure because everything I have read talks about assigning MFA to specific groups, where we went and applied it to all users.

    • This should also apply to guests as well as long as you didn’t exclude guest users in your options.

Leave a Reply

Your email address will not be published.